From: Paul Simmons
To: development@lists.ipfire.org
Subject: Re: [RFC] unbound: Increase timeout value for unknown dns-server
Date: Mon, 11 Jan 2021 23:07:22 -0600
In-Reply-To: <20210110140715.GA598974@vesikko.tarvainen.info>

On 1/10/21 8:07 AM, Tapani Tarvainen wrote:
> On Sat, Jan 09, 2021 at 12:57:44PM -0600, Paul Simmons (mbatranch(a)gmail.com) wrote:
>
>> I tested the ping (-c1) times for the first 27 IPv4 addresses in the DNS
>> server list from the wiki. I can test more, if desired.
>>
>> The fastest return was 596ms, and the slowest was 857ms. At present, I'm
>> using 9.9.9.10 (631ms ping) and 81.3.27.54 (752ms ping).
> Wow. That *is* slow.
>
>> I'm willing to test Tapani's "/etc/unbound/local.d" proposal(s), if
>> it will clarify the situation.
> I think it would be very useful if you could test if changing the
> limits actually helps in your situation.
>
> It's easy enough to do: e.g.,
>
> echo 'unknown-server-time-limit: 1128' >/etc/unbound/local.d/timeouts
>
> and restart unbound and see if it makes a difference for you.
>
> You might also try if non-TLS settings (TCP or UDP) work after that.
>
Hello,

I have some results.

The /etc/unbound/local.d/timeouts (+unbound restart) did not completely
resolve NTP-related lookup failures. It "seemed" to prevent complete
failure, but the first of two lookups, to different pool aliases, did fail.

I retained the "timeouts" and changed from TLS to TCP, and haven't seen
any lookup failures.

Tomorrow, I will experiment using "timeouts" and UDP. After a day or
so, I'll try removing the "timeouts" and repeat the TCP and UDP tests.

Thank you!

p.

--
I have a madness to my method.
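The experiment Paul describes, as an added example that is not part of the thread and not code from IPFire or the unbound project: a small POSIX shell script that writes Tapani's unknown-server-time-limit drop-in and then times one lookup over UDP, TCP and TLS so the three transports can be compared against that limit. It assumes that /etc/unbound/local.d/ is included from inside unbound's "server:" clause (which the bare "key: value" drop-in in the thread implies), that dig from BIND 9.18 or later is installed so the +tls option exists, and that restarting unbound after writing the file is done separately; the forwarder 9.9.9.10 and the name pool.ntp.org are simply the ones mentioned in the thread. The 376 ms default and the 1128 ms figure are the values from the unbound.conf manual, which suggests 1128 for slow links such as satellite connections.

```shell
#!/bin/sh
# Added example (not from the IPFire thread or the unbound project).
# Writes the unknown-server-time-limit drop-in from the thread and times a
# lookup over udp, tcp and tls so the three transports can be compared.
#
# Assumptions: /etc/unbound/local.d/ is included from inside unbound's
# "server:" clause (IPFire), dig is BIND 9.18+ (for +tls), and the caller
# restarts unbound after the file is written.

UNBOUND_DIR="${UNBOUND_DIR:-/etc/unbound}"

# unknown-server-time-limit is in milliseconds. unbound's default is 376 ms;
# 1128 (3x the default) is the value the unbound.conf manual suggests for
# slow links such as satellite connections.
write_timeouts() {
    dir="$1"
    limit="${2:-1128}"
    case "$limit" in
        ''|*[!0-9]*)
            echo "write_timeouts: limit must be a whole number of ms, got '$limit'" >&2
            return 1 ;;
    esac
    mkdir -p "$dir/local.d" || return 1
    printf 'unknown-server-time-limit: %s\n' "$limit" > "$dir/local.d/timeouts"
}

# Pull the "Query time: N msec" figure out of dig's statistics block (stdin).
query_time_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Time one A lookup against a server over udp, tcp or tls; prints milliseconds.
# +tries=1 stops dig from retrying silently, which would hide a slow first try.
time_lookup() {
    transport="$1"
    server="$2"
    name="${3:-pool.ntp.org}"
    case "$transport" in
        udp) opt="+notcp" ;;
        tcp) opt="+tcp" ;;
        tls) opt="+tls" ;;   # assumption: dig built with TLS support (9.18+)
        *)   echo "time_lookup: unknown transport '$transport'" >&2; return 1 ;;
    esac
    dig +noall +stats +tries=1 +time=5 "$opt" "@$server" "$name" A | query_time_ms
}

# True when a measured query time (ms) exceeds an unknown-server-time-limit
# value (ms), i.e. when a first contact with a server that has no RTT history
# in unbound's infra cache could be given up on before the answer arrives.
exceeds_limit() {
    [ "$1" -gt "$2" ]
}

# Usage:  sh unbound-timeouts.sh apply [limit_ms]
#         sh unbound-timeouts.sh measure [server] [name]
case "${1:-}" in
    apply)
        write_timeouts "$UNBOUND_DIR" "${2:-1128}" \
            && echo "wrote $UNBOUND_DIR/local.d/timeouts; restart unbound to apply"
        ;;
    measure)
        for t in udp tcp tls; do
            ms=$(time_lookup "$t" "${2:-9.9.9.10}" "${3:-pool.ntp.org}")
            verdict="ok"
            [ -n "$ms" ] && exceeds_limit "$ms" 376 && verdict="exceeds default 376 ms"
            printf '%-4s %6s ms  %s\n' "$t" "${ms:-fail}" "$verdict"
        done
        ;;
esac
```

Run `measure` a few times before and after `apply`, since the first contact with a server is exactly the case the limit governs; a run that prints "fail" for tls but a number for tcp reproduces the pattern Paul reports, and a UDP figure already above 376 ms explains why the default limit is too tight on a link with the ping times quoted in the thread.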